
ASA Site to Site with 3560 switch and remote site

Feb 7, 2005
I have a site-to-site VPN tunnel between a PIX and an ASA. The ASA is in data center (B). The PIX is at a DR remote site. The core switch is a 3560 in (B) with static routes to our corporate data center (A), which is connected by a dedicated circuit (Cisco 2600). The 3560 has a static route to the ASA for communication between the DR site and (B). I have communication between data center (B) and the DR site, but because of that static route the DR site has no communication to data center (A).

I'm not sure how to allow communication to/from data center (B) to the DR site, and at the same time allow communication from the DR site through data center (B) over the circuit to data center (A).
 
Do you have a single default route on the PIX in the DR site pointing to data center B?? Can you post some scrubbed configs??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
10.251.193.133 is the circuit router to DATACENTER(A)

PIX Version 8.0(2)19
!
hostname PIX
domain-name ABC

names

!
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address A.B.C.D W.X.Y.Z
!
interface Ethernet1
speed 100
duplex full
nameif inside
security-level 100
ip address DRSITENET1(inside) 255.255.255.128
!
interface Ethernet2
nameif inside2
security-level 100
ip address
!
passwd NULL encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name ABC
object-group network DATACENTER(A)
network-object 10.1.10.0 255.255.255.0
network-object 10.2.48.0 255.255.248.0
network-object 10.96.0.0 255.255.0.0
network-object 10.10.0.0 255.255.252.0
network-object 10.11.0.0 255.255.252.0
network-object 10.121.0.0 255.255.0.0
network-object 10.0.4.0 255.255.252.0
network-object 10.122.0.0 255.255.0.0
network-object 10.2.73.0 255.255.255.0
network-object 10.232.0.0 255.255.0.0
network-object 172.17.7.138 255.255.255.255
network-object 172.16.7.138 255.255.255.255
network-object 10.8.8.0 255.255.255.0
network-object 10.80.16.0 255.255.255.0
network-object 10.138.4.0 255.255.255.0
network-object 10.251.38.0 255.255.255.0
network-object 10.115.24.0 255.255.255.0
network-object 10.251.60.0 255.255.255.0
network-object 10.112.19.0 255.255.255.0
network-object 10.138.8.0 255.255.255.0
network-object 10.129.13.0 255.255.255.0
network-object 10.251.68.0 255.255.255.0
network-object 10.129.15.0 255.255.255.0
network-object 10.112.36.0 255.255.255.0
network-object 10.251.11.0 255.255.255.0
network-object 10.97.0.0 255.255.0.0
network-object 10.66.0.0 255.255.0.0
network-object 10.81.0.0 255.255.0.0
network-object 10.250.192.0 255.255.255.0
network-object 10.17.4.0 255.255.254.0
network-object 10.16.4.0 255.255.254.0
network-object 192.168.10.0 255.255.255.0
network-object 10.250.0.0 255.255.0.0
network-object 10.126.10.0 255.255.255.0
network-object 10.251.0.0 255.255.0.0
access-list DR extended permit ip DRSITENET1 255.255.255.0 ASA(B)NET1 255.255.255.0
access-list DR extended permit ip DRSITENET1 255.255.255.0 ASA(B)NET2 255.255.255.0
access-list DR extended permit ip DRSITENET1 255.255.255.0 object-group DATACENTER(A)
access-list nat0 extended permit ip DRSITENET1 255.255.255.0 ASA(B)NET1 255.255.255.0
access-list nat0 extended permit ip DRSITENET1 255.255.255.0 ASA(B)NET2 255.255.255.0
access-list nat0 extended permit ip DRSITENET1 255.255.255.0 object-group DATACENTER(A)
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inside2 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-602.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nat0
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 D.E.F.G 1
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 10.251.205.4 255.255.255.255 inside
http 10.251.205.14 255.255.255.255 inside
http 10.251.194.158 255.255.255.255 inside
http 10.251.205.3 255.255.255.255 inside
http 10.251.193.190 255.255.255.255 inside
no snmp-server location
snmp-server contact
snmp-server community *******
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1300
crypto ipsec transform-set VPNset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address DR
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer ASA(B)
crypto map outside_map 10 set transform-set VPNset
crypto map outside_map 10 set reverse-route
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet timeout 5
tunnel-group ASA(B) type ipsec-l2l
tunnel-group ASA(B) ipsec-attributes
pre-shared-key
======================================================

ASA Version 8.0(4)
!
hostname asa1
domain-name ABC

names
name 10.251.193.23 serverC
name 10.251.193.21 DC01
name 10.251.193.28 serverB
name 172.16.4.2 serverD
dns-guard
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address ASAOUTSIDE 255.255.*.*
ospf cost 10
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.251.193.130 255.255.255.192
ospf cost 10
!
interface Ethernet0/2
speed 100
duplex full
shutdown
nameif intf2
security-level 0
no ip address
ospf cost 10
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.128
ospf cost 10
management-only
!
banner exec Welcome to Cisco ASA !!
banner login Please Login for Configuration of PIX
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
retries 3
timeout 3
name-server DC01
domain-name ABC
object-group network DATACENTER(A)
description VPN networks to and from Mt.Gilead
network-object 10.1.10.0 255.255.255.0
network-object 10.2.48.0 255.255.248.0
network-object 10.96.0.0 255.255.0.0
network-object 10.10.0.0 255.255.252.0
network-object 10.11.0.0 255.255.252.0
network-object 10.121.0.0 255.255.0.0
network-object 10.0.4.0 255.255.252.0
network-object 10.122.0.0 255.255.0.0
network-object 10.2.73.0 255.255.255.0
network-object 10.232.0.0 255.255.0.0
network-object 172.17.7.138 255.255.255.255
network-object 172.16.7.138 255.255.255.255
network-object 10.8.8.0 255.255.255.0
network-object 10.80.16.0 255.255.255.0
network-object 10.138.4.0 255.255.255.0
network-object 10.251.38.0 255.255.255.0
network-object 10.115.24.0 255.255.255.0
network-object 10.251.60.0 255.255.255.0
network-object 10.112.19.0 255.255.255.0
network-object 10.138.8.0 255.255.255.0
network-object 10.129.13.0 255.255.255.0
network-object 10.251.68.0 255.255.255.0
network-object 10.129.15.0 255.255.255.0
network-object 10.112.36.0 255.255.255.0
network-object 10.251.11.0 255.255.255.0
network-object 10.97.0.0 255.255.0.0
network-object 10.66.0.0 255.255.0.0
network-object 10.81.0.0 255.255.0.0
network-object 10.250.192.0 255.255.255.0
network-object 10.17.4.0 255.255.254.0
network-object 10.16.4.0 255.255.254.0
network-object 192.168.10.0 255.255.255.0
network-object 10.250.0.0 255.255.0.0
network-object 10.126.10.0 255.255.255.0

access-list DR extended permit ip DATACENTERNET1(B) 255.255.255.0 10.251.205.0 255.255.255.0
access-list DR extended permit ip DATACENTERNET2(B) 255.255.255.0 10.251.205.0 255.255.255.0
access-list DR extended permit ip object-group DATACENTER(A) 10.251.205.0 255.255.255.0

access-list nat0 extended permit ip DATACENTER(B) 255.255.255.0 10.251.205.0 255.255.255.0
access-list nat0 extended permit ip DATACENTERNET2(B) 255.255.255.0 10.251.205.0 255.255.255.0
access-list nat0 extended permit ip object-group DATACENTER(A) 10.251.205.0 255.255.255.0

pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu management 1500

ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 *.*.*.* netmask *.*.*.*
global (outside) 2 interface
nat (inside) 0 access-list nat0
nat (inside) 2 DATACENTER(B) *.*.*.*
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) *.*.*.* serverD netmask 255.255.255.255
static (inside,outside) *.*.*.* serverB netmask 255.255.255.255
static (inside,outside) *.*.*.* serverC netmask 255.255.255.255
access-group UUS in interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
route inside DATACENTER(B) 255.255.255.0 10.251.193.129 1
route inside 10.251.194.0 255.255.255.0 10.251.193.129 1
route inside 172.16.4.0 255.255.255.248 10.251.193.129 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius

aaa authentication ssh console LOCAL
http server enable
snmp-server community *******
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1300

crypto ipsec transform-set VPNset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 10 match address DR
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer DRSITEPEER
crypto map outside_map 10 set transform-set VPNset
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000
crypto map outside_map 10 set reverse-route

crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=mgd-asa1
crl configure
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
group-delimiter !
no vpn-addr-assign dhcp
telnet timeout 15

ssh timeout 60
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

group-policy UNILINUS internal
group-policy UNILINUS attributes
dns-server value 10.251.193.21 10.251.193.5
vpn-idle-timeout 720
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value na.int.grp
split-dns value domains

tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2

tunnel-group DRSITEPEER type ipsec-l2l
tunnel-group DRSITEPEER ipsec-attributes
pre-shared-key *
======================================================
cisco 3560
interface Vlan1
description MGMT VLAN
ip address 10.251.193.129 255.255.255.192
!
interface Vlan2
description PC VLAN
ip address 10.251.194.1 255.255.255.0
ip helper-address 10.251.193.3
!
interface Vlan3
description Server VLAN
ip address 10.251.193.1 255.255.255.128
!
interface Vlan4
description AP VLAN
ip address 10.251.193.193 255.255.255.192
ip helper-address 10.251.193.3
!
router eigrp 100
network 10.0.0.0
no auto-summary
!
ip default-gateway 10.251.193.130
ip classless
no ip forward-protocol udp
ip route 0.0.0.0 0.0.0.0 10.251.193.130
ip route 10.0.4.0 255.255.252.0 10.251.193.133
ip route 10.1.10.0 255.255.255.0 10.251.193.133
ip route 10.2.48.0 255.255.248.0 10.251.193.133
ip route 10.2.73.0 255.255.255.0 10.251.193.133
ip route 10.8.8.0 255.255.255.0 10.251.193.133
ip route 10.10.0.0 255.255.252.0 10.251.193.133
ip route 10.11.0.0 255.255.252.0 10.251.193.133
ip route 10.16.4.0 255.255.254.0 10.251.193.133
ip route 10.17.4.0 255.255.254.0 10.251.193.133
ip route 10.66.0.0 255.255.0.0 10.251.193.133
ip route 10.80.0.0 255.255.0.0 10.251.193.133
ip route 10.80.16.0 255.255.255.0 10.251.193.133
ip route 10.81.0.0 255.255.0.0 10.251.193.133
ip route 10.96.0.0 255.255.0.0 10.251.193.133
ip route 10.97.0.0 255.255.0.0 10.251.193.133
ip route 10.112.19.0 255.255.255.0 10.251.193.133
ip route 10.112.36.0 255.255.255.0 10.251.193.133
ip route 10.115.24.0 255.255.255.0 10.251.193.133
ip route 10.121.0.0 255.255.0.0 10.251.193.133
ip route 10.122.0.0 255.255.0.0 10.251.193.133
ip route 10.126.10.0 255.255.255.0 10.251.193.133
ip route 10.129.13.0 255.255.255.0 10.251.193.133
ip route 10.129.15.0 255.255.255.0 10.251.193.133
ip route 10.138.4.0 255.255.255.0 10.251.193.133
ip route 10.138.8.0 255.255.255.0 10.251.193.133
ip route 10.232.0.0 255.255.0.0 10.251.193.133
ip route 10.250.0.0 255.255.0.0 10.251.193.133
ip route 10.250.192.0 255.255.255.0 10.251.193.133
ip route 10.251.11.0 255.255.255.0 10.251.193.133
ip route 10.251.38.0 255.255.255.0 10.251.193.133
ip route 10.251.60.0 255.255.255.0 10.251.193.133
ip route 10.251.68.0 255.255.255.0 10.251.193.133
ip route 10.251.205.0 255.255.255.0 10.251.193.130
ip route 172.16.2.0 255.255.254.0 10.251.193.174
ip route 172.16.4.0 255.255.255.248 10.251.193.174
ip route 172.16.7.138 255.255.255.255 10.251.193.133
ip route 172.17.7.138 255.255.255.255 10.251.193.133
ip route 192.168.2.0 255.255.255.0 10.251.193.130
ip route 192.168.5.0 255.255.255.0 10.251.193.130
ip route 192.168.10.0 255.255.255.0 10.251.193.130
ip route 192.168.11.0 255.255.255.0 10.251.193.130
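Added example, not part of the thread: a small Python script that parses the asa1 "route" lines and a subset of the 3560 "ip route" lines posted above, does a longest-prefix-match lookup the way each box would, and traces what happens to a DR-site packet for a DATACENTER(A) destination once the ASA has decrypted it. Scrubbed entries (DATACENTER(B), the *.*.*.* next hops) are left out, the ASA default-route next hop is replaced by an RFC 5737 documentation address as a placeholder, and only a few DATACENTER(A) object-group entries are carried over. The helper names (parse_routes, lookup, trace_dr_to_a, prefixes_without_inside_route, inside_route_lines) are mine, not Cisco CLI.

```python
"""Longest-prefix-match trace over the routing tables posted in the thread.
Added example, not from the original post. Scrubbed lines are omitted and
the ASA default gateway is a labelled placeholder."""
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "network iface nexthop")

# Constructed from the asa1 'route' lines in the thread. The real default
# gateway was scrubbed; 198.51.100.1 (RFC 5737) stands in for it.
ASA_ROUTES = """
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
route inside 10.251.194.0 255.255.255.0 10.251.193.129 1
route inside 172.16.4.0 255.255.255.248 10.251.193.129 1
"""

# Constructed subset of the 3560 'ip route' lines in the thread.
SWITCH_ROUTES = """
ip route 0.0.0.0 0.0.0.0 10.251.193.130
ip route 10.1.10.0 255.255.255.0 10.251.193.133
ip route 10.96.0.0 255.255.0.0 10.251.193.133
ip route 10.250.0.0 255.255.0.0 10.251.193.133
ip route 10.250.192.0 255.255.255.0 10.251.193.133
ip route 10.251.205.0 255.255.255.0 10.251.193.130
ip route 172.17.7.138 255.255.255.255 10.251.193.133
ip route 192.168.10.0 255.255.255.0 10.251.193.130
"""

# Subset of the DATACENTER(A) object-group on asa1, in CIDR form.
DATACENTER_A = ["10.1.10.0/24", "10.96.0.0/16", "10.250.192.0/24", "172.17.7.138/32"]


def parse_routes(text):
    """Parse ASA 'route IFACE NET MASK NH [metric]' and IOS 'ip route NET MASK NH' lines."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5:
            continue
        if tok[:2] == ["ip", "route"]:          # IOS form: no interface keyword
            net, mask, nh, iface = tok[2], tok[3], tok[4], None
        elif tok[0] == "route":                 # ASA form: interface comes first
            iface, net, mask, nh = tok[1], tok[2], tok[3], tok[4]
        else:
            continue
        routes.append(Route(ipaddress.ip_network(f"{net}/{mask}", strict=False), iface, nh))
    return routes


def lookup(routes, dest):
    """Longest-prefix match, i.e. the forwarding decision the box makes."""
    dest = ipaddress.ip_address(dest)
    matches = [r for r in routes if dest in r.network]
    return max(matches, key=lambda r: r.network.prefixlen) if matches else None


def trace_dr_to_a(asa_routes, switch_routes, dest):
    """Hops a decrypted DR packet takes until it leaves a box whose table we have."""
    hops = []
    r = lookup(asa_routes, dest)
    hops.append(("asa1", r.iface, r.nexthop))
    if r.nexthop == "10.251.193.129":           # handed to the 3560 (Vlan1)
        r = lookup(switch_routes, dest)
        hops.append(("3560", None, r.nexthop))
    return hops


def prefixes_without_inside_route(asa_routes, prefixes):
    """DATACENTER(A) entries for which asa1 has no 'inside' route at all."""
    bad = []
    for p in prefixes:
        net = ipaddress.ip_network(p)
        r = lookup(asa_routes, net.network_address)
        if r is None or r.iface != "inside":
            bad.append(p)
    return bad


def inside_route_lines(prefixes, nexthop="10.251.193.129"):
    """ASA 'route inside' lines that would point these prefixes at the 3560."""
    return "".join(
        f"route inside {n.network_address} {n.netmask} {nexthop} 1\n"
        for n in map(ipaddress.ip_network, prefixes))


if __name__ == "__main__":
    asa = parse_routes(ASA_ROUTES)
    sw = parse_routes(SWITCH_ROUTES)
    print("DR -> A as posted:", trace_dr_to_a(asa, sw, "10.1.10.5"))
    print("A prefixes with no inside route:", prefixes_without_inside_route(asa, DATACENTER_A))
    print("3560 return path for DR:", lookup(sw, "10.251.205.10"))
    fixed = parse_routes(ASA_ROUTES + inside_route_lines(DATACENTER_A))
    print("DR -> A with inside routes added:", trace_dr_to_a(fixed, sw, "10.1.10.5"))
```

What the trace shows with the tables as posted: asa1 only has inside routes for DATACENTER(B), 10.251.194.0/24 and 172.16.4.0/29, so its longest match for any DATACENTER(A) destination is the default route on outside, even though the crypto ACL and nat0 list already allow DR-to-(A) traffic through the tunnel. The 3560 side of the return path already points 10.251.205.0/24 at the ASA (10.251.193.130) and the (A) prefixes at the circuit router (10.251.193.133). The 2600 at data center (A) is not posted, so whether it has a route back to 10.251.205.0/24 cannot be checked here.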